Update role policies for system admin

This change makes the policy definitions for admin role operations
consistent with other role policies. Subsequent patches will
incorporate:

 - domain user test coverage
 - project user test coverage

Change-Id: I35a2af10d47e000ee6257ce16c52c7e49a62b033
Related-Bug: 1806713
Closes-Bug: 1805402
Lance Bragstad 2018-12-04 18:07:07 +00:00
parent d437365444
commit 2ca4836a95
3 changed files with 112 additions and 6 deletions


@ -23,6 +23,18 @@ deprecated_list_role = policy.DeprecatedRule(
name=base.IDENTITY % 'list_roles',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_update_role = policy.DeprecatedRule(
name=base.IDENTITY % 'update_role',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_create_role = policy.DeprecatedRule(
name=base.IDENTITY % 'create_role',
check_str=base.RULE_ADMIN_REQUIRED
)
deprecated_delete_role = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_role',
check_str=base.RULE_ADMIN_REQUIRED
)
DEPRECATED_REASON = """
As of the Stein release, the role API now understands default roles and
@ -64,25 +76,34 @@ role_policies = [
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_role',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Create role.',
operations=[{'path': '/v3/roles',
'method': 'POST'}]),
'method': 'POST'}],
deprecated_rule=deprecated_create_role,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_role',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Update role.',
operations=[{'path': '/v3/roles/{role_id}',
'method': 'PATCH'}]),
'method': 'PATCH'}],
deprecated_rule=deprecated_update_role,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_role',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Delete role.',
operations=[{'path': '/v3/roles/{role_id}',
'method': 'DELETE'}]),
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_role,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_domain_role',
check_str=base.RULE_ADMIN_REQUIRED,
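Review bot: The `create_role`, `update_role` and `delete_role` definitions switch to `check_str=base.SYSTEM_ADMIN` with `scope_types=['system']`, but each also registers a `deprecated_rule` that points back at the old `RULE_ADMIN_REQUIRED` check, and as far as I know oslo.policy keeps honouring the deprecated check alongside the new one until the deprecation period ends (and scope itself is only enforced once `enforce_scope` is turned on), so the stricter system-scope requirement these definitions appear to state is not yet what is enforced by default. Nothing in the file says so; a short comment next to `DEPRECATED_REASON` would spare operators a wrong assumption, e.g. `# NOTE: while these rules remain deprecated, oslo.policy still accepts the old admin_required check in addition to the new one; the system-scope requirement only becomes strict once the deprecated rule is removed`. The `get_domain_role` definition that closes the hunk continues past it and is not changed here.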


@ -151,3 +151,56 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class SystemAdminTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserRoleTests):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
# Reuse the system administrator account created during
# ``keystone-manage bootstrap``
self.user_id = self.bootstrapper.admin_user_id
auth = self.build_authentication_request(
user_id=self.user_id,
password=self.bootstrapper.admin_password,
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_create_roles(self):
create = {'role': unit.new_role_ref()}
with self.test_client() as c:
c.post('/v3/roles', json=create, headers=self.headers)
def test_user_can_update_roles(self):
role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref()
)
update = {'role': {'description': uuid.uuid4().hex}}
with self.test_client() as c:
c.patch(
'/v3/roles/%s' % role['id'], json=update, headers=self.headers,
)
def test_user_can_delete_roles(self):
role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref()
)
with self.test_client() as c:
c.delete('/v3/roles/%s' % role['id'], headers=self.headers)
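Review bot: The three new tests in `SystemAdminTests` (`test_user_can_create_roles`, `test_user_can_update_roles`, `test_user_can_delete_roles`) send the request but never state which response they expect, so unless `self.test_client()` rejects non-2xx responses on its own — which this hunk does not show — a 403 from the new `SYSTEM_ADMIN` check would pass unnoticed and the tests would not actually prove the policy grants the operation. Capturing the response and asserting on it makes the intent explicit either way, e.g. in the create test `r = c.post('/v3/roles', json=create, headers=self.headers)` followed by `self.assertEqual(201, r.status_code)`, and likewise 200 for the PATCH and 204 for the DELETE. The `setUp` body duplicates the one in `SystemMemberTests` above apart from the bootstrap account it uses; the shared part could live in `_SystemUserRoleTests` or a helper, but that is a style choice.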


@ -0,0 +1,32 @@
---
features:
- |
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
The role API now supports the ``admin``, ``member``, and
``reader`` default roles.
upgrade:
- |
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
The role API uses new default policies that make it more
accessible to end users and administrators in a secure way. Please
consider these new defaults if your deployment overrides role
policies.
deprecations:
- |
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
The role policies have been deprecated. The ``identity:get_role`` and
``identity:list_roles`` policies now use ``role:reader and
system_scope:all`` instead of ``rule:admin_required``. The
``identity:create_role``, ``identity:update_role``, and
``identity:delete_role`` policies now use ``role:admin and
system_scope:all`` instead of ``rule:admin_required``. These new
defaults automatically account for system-scope and support a read-only
role, making it easier for system administrators to delegate subsets of
responsibility without compromising security. Please consider these new
defaults if your deployment overrides the role policies.
security:
- |
[`bug 1805402 <https://bugs.launchpad.net/keystone/+bug/1805402>`_]
The role API now uses system-scope and default roles to provide
better accessibility to users in a secure way.